[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Why can't ESP authenticate IP header?

To: "john ipsec" <ipsec123@hotmail.com>
Subject: Re: Why can't ESP authenticate IP header?
From: Bill Sommerfeld <sommerfeld@East.Sun.COM>
Date: Fri, 21 Sep 2001 18:18:08 -0400
cc: kent@bbn.com, ipsec@lists.tislabs.com
In-Reply-To: Your message of "Fri, 21 Sep 2001 17:57:37 EDT." <F380F3praZfBGagwiIq00002670@hotmail.com>
Reply-to: sommerfeld@East.Sun.COM
Sender: owner-ipsec@lists.tislabs.com

> How can it provide "data origin authentication" in transport mode?

By allowing SA's to have a source address attribute and checking this
on receipt (as suggested by Steve Bellovin a long time ago).

You don't need to include the source address in the hash function if
you do a literal compare between the packet source address and the
source address of the SA.

Solaris's IPsec does this.

						- Bill

Follow-Ups:

Re: Why can't ESP authenticate IP header?

From: Pravin Kantak <pravin@intotoinc.com>

References:

Re: Why can't ESP authenticate IP header?

From: "john ipsec" <ipsec123@hotmail.com>

Prev by Date: RE: Why can't ESP authenticate IP header?
Next by Date: Re: Why can't ESP authenticate IP header?
Prev by thread: Re: Why can't ESP authenticate IP header?
Next by thread: Re: Why can't ESP authenticate IP header?
Index(es):
- Main
- Thread